%%%%%%%%%%%%%%%%%%%%%%% file template.tex %%%%%%%%%%%%%%%%%%%%%%%%%
%
% This is a general template file for the LaTeX package SVJour3
% for Springer journals.          Springer Heidelberg 2010/09/16
%
% Copy it to a new file with a new name and use it as the basis
% for your article. Delete % signs as needed.
%
% This template includes a few options for different layouts and
% content for various journals. Please consult a previous issue of
% your journal as needed.
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
% First comes an example EPS file -- just ignore it and
% proceed on the \documentclass line
% your LaTeX will extract the file if required
\begin{filecontents*}{example.eps}
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 19 19 221 221
%%CreationDate: Mon Sep 29 1997
%%Creator: programmed by hand (JK)
%%EndComments
gsave
newpath
  20 20 moveto
  20 220 lineto
  220 220 lineto
  220 20 lineto
closepath
2 setlinewidth
gsave
  .4 setgray fill
grestore
stroke
grestore
\end{filecontents*}
%
\RequirePackage{fix-cm}
%
%\documentclass{svjour3}                     % onecolumn (standard format)
%\documentclass[smallcondensed]{svjour3}     % onecolumn (ditto)
\documentclass[smallextended]{svjour3}       % onecolumn (second format)
%\documentclass[twocolumn]{svjour3}          % twocolumn
%
\smartqed  % flush right qed marks, e.g. at end of proof
%
\usepackage{graphicx}

\usepackage{cite}
\usepackage{enumerate}      % �����@������\begin{itemize}�������ſ�����
\usepackage{amsmath}        % �����@������\tag �������ſ�����
%
% \usepackage{mathptmx}      % use Times fonts if available on your TeX system
%
% insert here the call for the packages your document requires
%\usepackage{latexsym}
% etc.
%
% please place your own definitions here and don't use \def but
% \newcommand{}{}
%
% Insert the name of "your journal" with
% \journalname{myjournal}
%

\begin{document}

\title{Novel Untraceable Authenticated Key Agreement Protocol Suitable for Mobile Communication}
%\thanks{Grants or other notes
%about the article that should go on the front page should be
%placed here. General acknowledgments should be placed at the end of the article.}


%\titlerunning{Short form of title}        % if too long for running head

\author{Chin-Chen Chang \and Hai-Duong Le \and  Ching-Hsiang Chang}

%\authorrunning{Short form of author list} % if too long for running head

\institute{     Chin-Chen Chang \at
                Department of Information Engineering and Computer Science,
                Feng Chia University,
                No. 100 Wenhwa Rd., Seatwen,
                Taichung 40724, Taiwan, R.O.C.
                \\
                Tel.: 886-4-24517250 ext. 3790\\
                Fax: 886-4-27066495\\
                \email{alan3c@gmail.com}           %  \\
%               \emph{Present address:} of F. Author  %  if needed
           \and
                Hai-Duong Le \at
                Department of Information Engineering and Computer Science,
                Feng Chia University, Taichung, 40724, Taiwan, R.O.C.\\  
                \email{duonghaile@gmail.com}     
           \and 
                Ching-Hsiang Chang \at  Department of Information Engineering and Computer Science,
                Feng Chia University, Taichung, 40724, Taiwan, R.O.C. \\  
                \email{u9010801@gmail.com}
}


\date{Received: date / Accepted: date}
% The correct dates will be entered by the editor


\maketitle


%\end{document}  %�@���Z���Y�����ęn���������Ծ��g����pdf���]��������



\begin{abstract}
Communication network has grown to the stage where it becomes ubiquitous. It allows us to access to on-line services at anytime, anywhere and by any devices. This brings out new services, that was previous only accessible via computers, now are available on mobile devices such as e-commerce applications. These applications require mobile users to be authenticated in order to use the services. In this paper, we proposed a novel  authenticated key agreement scheme that allows  users and servers mutually authenticate each other. Our scheme also conceals users' identities from adversaries; this is provided in initiator untraceability property of the scheme. Furthermore, the scheme has good computation cost as well as communication and storage costs; thus, the proposed scheme is suitable for the mobile devices.
\keywords {Authentication \and key agreement \and untraceable  \and  anonymity  \and smart card  \and  mobile communication }
% \PACS{PACS code1 \and PACS code2 \and more}
% \subclass{MSC code1 \and MSC code2 \and more}
\end{abstract}

\section{Introduction}
\label{intro}

In distributed computing, client-server model is a distributed application architecture that provides a convenient method to interconnect clients' applications to servers. Clients communicate with servers over computer networks which are normally insecure, especially in the case of Internet. Moreover, in many applications, it is required that communicating partners identify each other before exchanging information. Therefore, it is required to design a protocol that provides authenticity and confidentiality of communication in client-server model. There are many authenticated key agreement schemes proposed to fulfill the aforementioned requirements. Among them, password authentication key agreement schemes are widely used in combination with smart card \cite{ RefJ03, RefJ05, RefJ08, RefJ02, RefJ04} to increase the level of security.

In this type of authenticated key agreement schemes, a registered user who knows a password and possesses a smart card issued by an organization can mutually authenticate and establish a secure communication channel with their servers. In 2008, Juang et al. proposed a robust and efficient user authentication and key agreement scheme  that provides mutual authentication, key agreement, identity protection at high performance \cite{RefJ04}. In 2009, Li et al. \cite{RefJ08}  improved  Juang et al.'s scheme with initiator untraceability property while trying to reserve the efficiency as in Juang et al.'s. However, the latter scheme has some weaknesses. First, since the scheme employs verification table in authenticating users, an adversary can bring down the entire system by modifying or destroying the content of verification table. Second, it is subject to off-line password guessing attack. Lastly, Li et al.'s scheme is constructed by both secret key and public key encryptions, which trades in its performance and gives rise to the problem of public key management.

In this paper, we proposed a novel password authentication key agreement scheme that can provide mutual authentication, session key agreement, and initiator untracability properties. Moreover, the proposed scheme overcomes the limitations in Li et al.'s  and has better performance comparing to their scheme.
The notation used in this papers are listed in the following.

\begin{tabular} {l p{10cm}}
$U$ & the user \\
$ID$ & the identity of $U$ \\
$PW$ & the password of $U$ \\
$S$ & the remote server \\
$s$, $s_1$, $s_2$ & long term secret keys of $S$ \\
$h(\cdot)$ & a public one-way hash function \\
$E_s(\cdot)$/$D_s(\cdot)$ &  a secure symmetric encryption/decryption algorithm with the secret key $s$ \\
$N$, $r$ & two random numbers \\
$p$ & a large prime number \\
$E_p$ & an elliptic curve equation over $Z_p$ \\
$G$ & a generator point of large order \\
($x$, $P_S$) & the pair of server's private and public keys based on elliptic curve cryptosystem  \\
\end{tabular}

\section{Related work}
\label{sec:1}
%Text with citations \cite{RefB} and \cite{RefJ}.%�@��ԓ��ģ������Z�䣬�҄h���

\subsection{Review of Li et al.'s scheme}
In this section, we review Li et al.'s password-authenticated key agreement scheme in brief. The scheme has totally five phases: parameter generation, registration, precomputation, log-in and password-changing.


\subsubsection{Parameter generation}
Li et al.'s scheme is based on hash function, symmetric encryption and the elliptic curve discrete logarithm problem. The system needs to generate the following parameters:

\begin{itemize}
\item First, the server chooses a large prime $p$ and two field elements $a \in Z_p$ and $b \in Z_p$, where $a$ and $b$ must satisfy $4a^3+27b^2\pmod p$.
\item The server then finds a generator point $G$ of large order.
\item The server selects a random number $x$ as its private.
\item Lastly, the server computes the public key $P_S=xG$ and publishes the set of parameters $\{P_S, p, E_p,G\}$.
\end{itemize}

There are some assumptions regarding the sizes of the parameters used in the scheme as follows.
\begin{itemize}
\item Both the block size of the block cipher $E_s(\cdot)$ and the output of hash function $h(\cdot)$ are 128 bits.
\item The sizes of user identity 
$ID$ and card identity $CI$ are both 32 bits.
\item The sizes of all the random numbers used in the system are 64  bits.
\end{itemize}

\subsubsection{Registration phase}
The registration phase is performed once for each user in the following steps.
\begin{enumerate}[Step 1]
\item A user $U$ with identity $ID$ chooses a password $PW$, a random number $b$ and a random nonce $N_0 \in_R \{0,1\}^{64}$ . Then, he gives
\begin{equation*}
\label{1}
\tag{1}
\{ID, h(PW\|b),N_0\}
\end{equation*}
to the server $S$ for registration.

\item After receiving $\{ID, h(PW\|b), N_0\}$, the server creates the card identity $CI$, which is issued to the card. The server stores $\{ID, CI, N_0\}$ in the server's registration table. $S$ issues the card to the user $U$; the card contains the following information

\begin{equation}
\label{2}
\tag{2}
\{b^{N_0}_{ID}, V_{ID},ID,CI\},
\end{equation}
where
$$b^{N_0}_{ID}=E_s((ID\|CI\|N_0)\|((ID\|CI\|N_0) \oplus h(PW\|b))\|TAG_0),$$
$$TAG_0= h((ID\|CI\|N_0)\|((ID\|CI\|N_0) \oplus h(PW\|b)))$$
and $$V_{ID}=h(ID\|s\|CI)$$

\item Upon receiving the card, the user $U$ writes $b$ into the card memory; as a result, the card memory contains  $\{b^{N_0}_{ID}, V_{ID}, ID, CI, b\}$.
\end{enumerate}

\subsubsection{Precomputation phase}
In this phase, the smart card computes $e = rG, c=rP_s=rxG$ as points over $E_p$, where $r$ is a random number. $e$ and $c$ are stored in the smart card memory for later use in authentication and key agreement.

\subsubsection{Log-in phase}
In order to authenticate with the server, the user inserts his smart card into card reader and keys in his password. Then, the user's system communicates with the server to established authentication and key agreement as follows.
\begin{enumerate}[Step 1]
\item The card chooses a nonce $N_1 \in_R {0,1}^{64}$, and sends

\begin{equation}
\label{3}
\tag{3}
\{b^{N_0}_{ID},E_{V_{ID}}(N_1\|e)\}
\end{equation}

to the server.
\item Upon receiving $\{b^{N_0}_{ID},E_{V_{ID}}(N_1\|e)\}$, the server $S$ obtains $ID$, $CI$, $N_0$, $h(PW\|b)$ by decrypting $b^{N_0}_{ID}$ and validates $\{ID,CI,N_0\}$ against the registration table. If $b^{N_0}_{ID}$ is valid, the server decrypts $E_{V_{ID}}(N_1\|e)$ to gain $N_1$ and $e$. Then, the server updates registration table by replacing $N_0$ with $N_1$; the entry for user $U$ in registration table becomes $\{ID,CI,N_1\}$. The server selects $u \in_R {0,1}^{64}$, and computes $$c=xe$$ and $$M_S=h(c\|u\|V_{ID}).$$
Next, server sends to the card the message
\begin{equation}
\label{4}
\tag{4}
\{Nb1, u \oplus h_{64}(b^{N_1}_{ID}),M_S\},
\end{equation}
where $h_{64}(b^{N_1}_{ID})$ is the first 64 bits of $h(b^{N_1}_{ID})$ and\\
$$b^{N_1}_{ID}=E_s((ID\|CI\|N_1)\|((ID\|CI\|N_1) \oplus h(PW\|b))\|TAG_1),$$
$$TAG_1=h((ID\|CI\|N_1)\|((ID\|CI\|N_1) \oplus h(PW\|b)))$$
and $$Nb1=b^{N_1}_{ID} \oplus (h(N_1\|e\|1)\|h(N_1\|e\|2)\|h(N_1\|e\|3)).$$

\item The smart card obtains $b^{N_1}_{ID}$ from $Nb1$ with the knowledge of $N_1$ and $e$. The card also derives $u$ from $u \oplus h_{64}(b^{N_1}_{ID})$; then, it verifies whether $h(c\|u\|V_{ID})$ is equal to $M_S$. If it is true, the card sends
\begin{equation}
\label{5}
\tag{5}
M_U=h(h(PW\|b)\|V_{ID}\|c\|u)
\end{equation}
to server for authenticating itself.

\item The server verifies whether $M_U \stackrel{?}{=}h(h(PW\|b)\|V_{ID}\|c\|u)$ holds. If it holds, the server accepts the log-in request of user $U$. Thus,  the smart card and the server successfully authenticate each other and share a session key $k=h(V_ID\|c\|u)$.

\end{enumerate}

\subsubsection{Password changing phase}
Before changing the password, a user needs to log-in and shares a session key with the server. Then, $U$ chooses a new password $PW^*$ and a new random string $b^*$. The card sends password-changing message

\begin{equation}
\label{6}
\tag{6}
\{E_k((ID\|CI\|N^*)\|h(PW^*\|b^*))\}
\end{equation}

to server, where $N^* \in_R {0,1}^{64}$.

After receiving password-changing request, the server derives $ID$, $CI$, $N^*$, $h(PW^*\|b^*)$ by decrypting the cipher $\{E_k((ID\|CI\|N^*)\|h(PW^*\|b^*))\}$ using the session key $k$. The server $S$ updates the entry $\{ID,CI,N\}$ in the registration table with $\{ID,CI,N^*\}$. Then, the server sends to the user $U$ the response message

\begin{equation}
\label{7}
\tag{7}
\{E_k(b^{N*}_{ID}\|ID\|CI\|N^*)\},
\end{equation}

where
$$b^{N^*}_{ID}=E_s((ID\|CI\|N^*)\|((ID\|CI\|N^*) \oplus h(PW^*\|b^*))\|TAG^*)$$ and
$$TAG^*=h((ID\|CI\|N^*)\|((ID\|CI\|N^*) \oplus h(PW^*\|b^*))).$$


Upon receiving the server's response, the smart card decrypts response message and verifies the extracted $ID$ and $CI$. After that, it replaces $b^{N}_{ID}$ and $b$ with the newly derived values of $b^{N^*}_{ID}$ and $b^*$ respectively. The password-changing procedure is accomplished and the smart card contains $\{b^{N^*}_{ID}$, $V_{ID}$, $ID$, $CI$, $b^*\}$ in its memory.

\subsection{Weaknesses of Li et al.'s scheme}


In this section, we discuss some weaknesses adhered to Li et al.'s scheme. Firstly, the scheme deploys a verification table used for authenticating  clients. For each user, the server has to spend an extra cost of storage for keeping user's authentication information. And for each user's login, there is computation cost in accessing as well as updating the table. The most serious threat is that this table might subject to illicit modification or deletion on a part of the table or even the whole table. This type of attacking on verification table can lead to denial of authentication service to a certain group of users or to all the users of the system.

Secondly, the scheme deploys both secret key and public key encryptions. The server has to keep a secret key as well as a private key for this scheme. At the client side, the smart card has to perform both secret key encryption and elliptic curve multiplication. Moreover, the public key encryption might incur a cost to build and maintain a public key management system.


The next weakness of the scheme is that adversaries can mount online-password guessing attack on the system if the adversary can somehow get a user's smart card. The scheme does not provision any mechanism to prevent this type of attack. This problem can be solved by limiting the number of unsuccessful logins in a period of time.

The last concern is when the smart card executes the precomputation phase and how long the values $e$ and $c$ are stored in the memory. As described in Li et al.'s, we can argue that an attacker can steal a user's smart card in which the values $e$ and $c$ are still in the card's memory. If this happens, the scheme is susceptible to off-line password guessing attack, which allows attacker to obtain insecure low-entropy user's password with high probability. We describe the attack as follows.

Suppose that the attacker $A$ passively collects all the login phase messages (3), (4) and (5) between the user $U$ and the server $S$. $A$ then steals the smart card from the user $U$. As known in the studies \cite{RefJ06, RefJ09}, it is possible for the attacker to extract stored secret values $\{b^{N_0}_{ID}$, $V_{ID}$, $ID$, $CI$, $b\}$ from a smart card as well as the values of $e$ and $c$ which were computed in precomputation phase and stored in the memory of the smart card. From the message (3), $A$ can use $V_{ID}$ to decrypt and obtain $N_1$. Using $N_1$ and $e$, the attacker can derive  $u$ from the message (4). At this stage, the attacker has known $V_{ID}$, $b$, $c$, and $u$. Now $A$ can obtain the password $PW$ of $U$ by guessing all possible passwords $PW'$'s iteratively. For each $PW'$, the attacker computes $=h(h(PW'\|b)\|V_{ID}\|c\|u)$ and verifies the result  against the values of message (5), which is $M_U$. If there is $PW'$ that $h(h(PW'\|b)\|V_{ID}\|c\|u) = M_U$, the attacker has successfully guess the password of the user $U$ and uses $PW'$ to access to the server $S$.

The attack is possible because the shared secret $V_{ID}$ is unprotected in the smart card. We suggest that $V_{ID}$ should be stored securely in the smart card by masking (bit-wise XOR) it with $h(PW\|b)$ .

\section{The proposed scheme}
In this section, we propose a new scheme that overcomes the weakness in Li et al.'s scheme. It also provides better performance comparing to Li et al.'s. The proposed scheme does not employ public key algorithm as in Li et al.'s scheme; thus, it does not required the public key management mechanism such as X.509. Moreover, there is no verification table is needed in our scheme. The scheme consists of three phases: registration phase, login phase, and password-changing phase.

\subsection{Registration phase}
\begin{enumerate}[Step 1]
\item  A new user $U$ chooses his password $PW$ and a random number $r_0$; then, $U$ sends to server $S$ the registration request message

\begin{equation}
\label{1a}
\tag{1a}
\{ID,h(PW) \oplus r_0 \}
\end{equation}

for registration.

\item After receiving $\{ID,h(PW) \oplus r_0 \}$ from  $U$, server $S$ generates random number $r$ and computes the following parameters:
\begin{itemize}

\item $V = h(ID\|r)$
\item $IM = E_{s_1}(ID\|r) \oplus s_2  $,  where $E_{s_1}(\cdot)$ is a secure symmetric encryption function with the permanent secret key $s_1$. The random number $s_2$ is kept by the server $S$ as another long-term secret.

\item Server writes into the smart card the values

\begin{equation}
\label{2a}
\tag{2a}
\{V_1,IM\},
\end{equation}

where  $V_1=V  \oplus h(PW)  \oplus  r_0$; then, it issues the smart card to the user $U$.
\end{itemize}

\item When $U$ receives the smart card, he performs smart card activation in which $V_1$ is replaced by $V_2=V_1 \oplus r_0=V \oplus h(PW)$. After this stage, the memory of the card contains $\{V_2,IM\}$ and the card is ready for use in authentication.

Explaination: the random number $r_0$ is used only in registration phase. It masks the value of h(PW) so that we can prevent from insider attack \cite{RefJ07}.

\end{enumerate}

\subsection{ Login phase}
In this phase, the user $U$ and the server $S$ perform mutual authentication and establish a common session key. To enhance the security of our scheme, we make an assumption that the $S$ will allow only a certain number of failed login attempts over a period of time. This assumption is made in order to prevent on-line dictionary attack when a valid smart card is either stolen or lost and falls into wrong hands - attackers. To establish mutual authentication and a shared-key, the smart card collaborates with the server in the following procedure.

\begin{enumerate}[Step 1]
\item When user $U$ wants to login the server $S$, he inserts his smart card into the card reader and keys in his password $PW$. First, the smart card generates a random number $r_1$, derives $V$ from $V_2$ by $V=V_2 \oplus h(PW)$, and computes $T_1=h(V \oplus r_1)$. Then, the card transmits the login request

\begin{equation}
\label{3a}
\tag{3a}
\{r_1,T_1,IM\}
\end{equation}
to the server.

\item Upon receiving the login request message, $S$ uses its long-term secret keys $s_1$ and $s_2$ to decrypt $IM$, $D_{s_1}(IM \oplus s_2)= (ID \|r)$. Thus, it obtains $ID$ and $r$. $S$ then computes $V'=h(ID \| r)$ and verifies the login request message by checking if $h(V' \oplus r_1)=T_1$ holds. In the case of inequality, the server $S$ rejects the user's login request and terminates the session. If the equality holds, the identity $ID$ of $U$ is authenticated, $S$ chooses a random number $r_{new}$ and computes new values of $V$ and $IM$ as follows.
\begin{itemize}
\item $V_{new}=h(ID\|r_{new})$.
\item $IM_{new}=E_{s_1}(ID\|r_{new}) \oplus s_2$.
\end{itemize}

Then, a random number $r_2$ is chosen by the server to compute and send to the card the response message

\begin{equation}
\label{4a}
\tag{4a}
\{T_2=E_{V'}(r_2,IM_{new},V_{new},r_1)\}.
\end{equation}

\item The card decrypts $T_2$ and checks the integrity of $T_2$ by verifying the value of $r_1$ extracted from the cipher $T_2$.  If $r_1$ is invalid, the card terminates the session; otherwise, it believes that $T_2$ came from $S$ since the server $S$ can compute correct value of $V$ but no other can. The smart card also obtains $r_2$, $IM_{new}$, $V_{new}$ as the result of the decryption. And then it computes the session key $K=h(r_2\|V)$. The values of $IM$, $V_2$ in the card's memory are replaced by $IM_{new}$, $V_{new} \oplus h(PW)$, respectively. Finally, the card sends to the server $S$ the message

\begin{equation}
\label{5a}
\tag{5a}
\{T_3=h(K+1)\}.
\end{equation}

\item Upon receiving $T_3$, the server computes the session key $K'=h(r_2\|V')$ and verifies whether $h(K'+1)$ is equal to $T_3$. If it fails, the server closes the session to reject the failed login attempt; or else, the server accepts the log-in request.

\end{enumerate}

After the previous step, $S$ and $U$ have successfully authenticated each other and shared a session key $K$ for subsequent communication. Moreover, the scheme provides explicitly key confirmation since the server $S$ is assured that the user $U$ has computed the session key $K$ correctly, and no one except $U$ can compute $K$.

\subsection{Password changing phase}
In this phase, it is required for the user to login before the password is changed. When the user $U$ wants to change his password, he inserts his smart card into card reader and enters his current password $PW$. First, the card authenticates the user against the server $S$. If the authentication is successful, the smart card requests the user to keys in his new password $PW_{new}$. Then, the card computes ${V_2}_{new} = V_2 \oplus h(PW) \oplus h(PW_{new})$. The last step is to replace $V_2$ with  ${V_2}_{new}$ in the smart card's memory. Finally, $U$ has successfully changed his password to $PW_{new}$.

\section{Evaluations of the proposed scheme}
\subsection{Security Analysis}
\subsubsection{Authenticated key agreement}
In 1990, Burrows, Abadi and Needham \cite{RefJ01} formalized a method for logically analyzing protocols in computer networks. The method is widely known as BAN logic. It is used here to prove that the proposed scheme provides authentication and key agreement.   We need to prove that
$A$ \emph{believes} $S$ \emph{believes} $A \stackrel{K}{\longleftrightarrow}S$ and $S$ \emph{believes} $A$ \emph{believes} $A \stackrel{K}{\longleftrightarrow}S$, where $K$ is the session key.

We idealize the protocol as follows:
\begin{itemize}
\item \emph{Message 3a.} $A \rightarrow S$: $r_1, h(V,r_1), \{ID,r\}_{s_1}$ .
\item \emph{Message 4a.} $S \rightarrow A$: $\{r_2, IM_{new}, V_{new}, r_1\}_V$ .
\item \emph{Message 5a.} $A \rightarrow S$: $h(K)$ .
\end{itemize}

Since $S$ \emph{believes} $\stackrel{s_1}{\mapsto} S$, where $s_1$ is the secret key of $S$, and  $S$ \emph{sees} $\{ID,r\}_{s_1}$, so $S$ \emph{believes} $S$ \emph{said} ($ID, r$). Thus, $S$ \emph{believes} $V$, since $V=h(ID,r)$. Also, $S$ \emph{believes} $S \stackrel{V}{\rightleftharpoons}A$, because only $A$ with the correct password $PW$ can retrieve $V$ from his smart card. Analyzing message (3a) further, we get

\begin{equation}
\label{4.1}
\tag{4.1}
S \text{ \emph{believes} } A \text{ \emph{said} }  r_1
\end{equation}
because $S$ \emph{believes} $S \stackrel{V}{\rightleftharpoons}A$ and $S$ \emph{sees} $h(V, r_1)$.

Upon receiving message (4a), the \emph{message-meaning rule} is applied and yields $A$ \emph{believes} $S$ \emph{said} ($r_2, IM_{new}, V_{new}, r_1$), since $A$ \emph{belives} $A \stackrel{V}{\longleftrightarrow}S$ and $A$ \emph{sees} $\{r_2$, $IM_{new}$, $V_{new}$, $r_1\}_V$. $r_1$ is a random number chosen by $A$ for the current session, thus $A$ \emph{believes} $fresh(r_1)$. According to the \emph{nonce-verification rule},
\begin{equation}
\label{4.2}
\tag{4.2}
A \text{ \emph{believes} } S \text{ \emph{believes} } r_2, IM_{new}, V_{new} \text{ ;}
\end{equation}
therefore,
\begin{equation}
\label{4.3}
\tag{4.3}
A \text{ \emph{believes} } S \text{ \emph{believes} } A \stackrel{K}{\longleftrightarrow}S
\end{equation}
since $K=(r_2\|V)$.

When $S$ receives message (5a), the \emph{message-meaning rule} yields
\begin{equation}
\label{4.4}
\tag{4.4}
S \text{ \emph{believes} } A \text{ \emph{said} } K
\end{equation}
since $S$ \emph{believes} $A \stackrel{V}{\rightleftharpoons}S$ and $K=h(r_2\|V)$. Moreover, because $S$ \emph{believes} $r_2$ is \emph{fresh}; thus, the \emph{nonce-verification rule} yields
\begin{equation}
\label{4.5}
\tag{4.5}
S \text{ \emph{believes} } A \text{ \emph{believes} } A \stackrel{K}{\longleftrightarrow}S \text{ .}
\end{equation}

From the results (4.3) and (4.5), we conclude that the proposed scheme provides mutual authentication and key agreement between $A$ and $S$.

\subsubsection{Known session key attack}
The notion of known session key attack can be described as the situation where an adversary obtains old session keys and successfully derives the session keys in subsequent sessions.  In our scheme, the session key $K=h(r2\|V)$ is fresh for each session, since the random number $r_2$ is newly chosen by server every time it authenticates a user. $r_2$ is also encrypted by the secret $V$ and securely sent to client, where $V$ is, as well, fresh for each session. Therefore, this type of attack is not possible in our scheme.

\subsubsection{Forward secrecy}
Our scheme also reserves forward secrecy attribute. It means if an adversary obtains the long term secrets from server and user's smart card, he still cannot deduce the session keys of previous sessions. This attribute is held since the construction of session key $K$ is independent from the long term secrets. $K$ consists of fresh random parameters like $r_2$ and $V$.

\subsubsection{Initiator anonymity and untraceability}
In our scheme, the initiator identity is concealed. In the login phase and password changing phase, the identity of a user does not transfer to the server in plaintext. The only way to obtain the user's identity from the conversations between the server and the user is to decrypt the cipher $IM$, which is encrypted using the server's secret key $s_1$. Since all the secrets are in high order of entropy, the task of identifying the communicating user is next to impossible. Thus, we can conclude that the scheme provides initiator anonymity property.

The higher level of anonymity is untraceability where adversary has no mean to distinguish whether two login sessions are originated from the same user or not. The untraceability property is achieved by making login messages in each session randomized. There is no message or a part of message in the current login session which was appeared in the previous sessions. The probability that an adversary correctly identifies two sessions from the same user is the same as the probability of decrypting $IM$ without the knowledge of the server secret key $s_1$. This probability is inversely proportional to the size of the server's secret key. Since the server's secret is in high order of entropy, this probability becomes negligible.  In conclusion, our scheme provides both initiator anonymity and initiator untraceability.


\subsection{Performance and Functionality Concerns}
In this subsection, we present our scheme's performance comparing to Li et al.'s scheme. We make some assumptions of the sizes of all the parameters in the scheme as follows:
\begin{enumerate}
\item The block size of symmetric encryption/decryption function  and the output length of hash function are 128 bits.
\item The size of user's $ID$ and card $CID$ are 32 bits.
\item The random numbers, random nonces are determined by block size and hash function. Their lengths are 64 bits.
\end{enumerate}

The performances of our scheme and Li et al.'s are depicted in Table 1 and Table 2. As shown in Table 1, the computation costs  of each phase in our scheme are always smaller than the one in  Li et al.'s. In our scheme, we use only one-way hash function and symmetric key encryption. However, other than hash function and symmetric key encryption, Li et al.'s scheme utilizes elliptic curve multiplication which has high computation cost comparing to symmetric encryption and decryption operations. In addition, their scheme executes two elliptic curve multiplications in precomputation phase, but our scheme does not require this phase. In the password changing phase, our scheme does not require the server's service, therefore, there is no computation cost at the server side in this phase. Overall, our scheme has less computation cost comparing to Li et al.'s scheme.

\begin{table}
\caption{Comparing computation costs between ours and Li et al.'s}
\label{tab:1}
	\begin{tabular}{lll}
		\hline\noalign{\smallskip}



		Computation cost & Ours & Li et al.'s \\
\noalign{\smallskip}\hline\noalign{\smallskip}
		Registration phase at user & 1h & 1h \\

		Registration phase at server & 1h + 1s & 2h + 3s \\

		Precomputation phase at user & 0 & 2m \\

		Login phase at user & 4h + 4s & 8h + 4s \\

		Login phase at server & 5h + 8s & 10h + 10s + 1m \\

		Password changing phase at user & 1h & 1h + 6s \\

		Password changing phase at server & 0 & 1h + 9s \\
\noalign{\smallskip}\hline
	\end{tabular}

\vspace{1mm}
$h$: one-way hash operation\\
$s$: symmetric key encryption or decryption on one block\\
$m$: elliptic curve multiplication
\end{table}


In Table 2, the communication cost and storage cost of our scheme are compared with the one in Li et al.'s scheme. It is clear that the smart card's storage cost in Li et al.'s is about double comparing to ours. In addition, Li et al.'s scheme has to maintain a table for authentication purpose, this incurs the storage cost per user at server side. Other than higher storage cost, Li et al.'s also has higher communication cost than our scheme. Especially in the password changing phase, their scheme involves the server side computation as well as communication between server and user; thus, it also subjects to communication cost at this phase.


\begin{table}
\caption{Comparing communication and storage costs between ours and Li et al.'s}
\label{tab:2}
	\begin{tabular}{lll}
	\hline\noalign{\smallskip}
		Communication or storage cost (in bits) & Ours & Li et al.'s \\
\noalign{\smallskip}\hline\noalign{\smallskip}
	           Password length & 128 & 128 \\

		Storage cost in the smart card & 384 & 640 \\

		Storage cost in the server for each user & 0 & 128 \\

		The length of the first message in the login phase & 448 & 896\\

		The length of the second message in the login phase &  512 & 576 \\

		The length of the second message in the password change phase & 0 & 512 \\
\noalign{\smallskip}\hline
	\end{tabular}
\end{table}
\vspace{5mm}


Regarding functional properties,  our protocol provides mutual authentication key exchange with high security and efficiency. Server can authenticate clients, and clients can also authenticate server. The scheme allows clients and server to securely exchange a session key for subsequent communication after authentication. Furthermore, the proposed scheme provides initiator untraceability which hides client's identity from adversaries as well as leaves no trace for further analysis on client's identity. This is the result of scrambling the messages in authentication phase; there will never be the same login request message originated from the same client.

\begin{table}
\caption{Security Properties between ours and Li et al.'s}
\label{tab:3}
	\begin{tabular}{lll}
\hline\noalign{\smallskip}
		Security Properties & Ours & Li et al.'s \\
\noalign{\smallskip}\hline\noalign{\smallskip}
	          Mutual Authentication & O & O \\
	
		Key Agreement & O& O \\
	
		Initiator Anonymity & O & O \\
	
		Initiator Untrceability & O& O\\

		Against Denial of Server Attack &  O & X\\
	
                      Against Off-line Password-Guessing Attack & O& X \\

		Against Known Session Key Attack & O & O \\

		Forward Secrecy & O & O \\
	\noalign{\smallskip}\hline
	\end{tabular}
\end{table}
\vspace{5mm}

\section{Conclusions}
In this paper, we proposed a novel authenticated key agreement scheme which features initiator anonymity and initiator untraceability. The scheme has better performance comparing Li et al.'s scheme which also features initiator untraceability. Comparing with Li et al.'s scheme, our scheme has lower computation and communication costs as well as less storage requirement in both smart card and server.

Moreover, we had shown that Li et al.'s has weaknesses that affect its performance and security. We demonstrated that, in certain case, their scheme might be subjected to denial of service due to illicit modification or deletion of verification table. Another weakness of their scheme is that it is susceptible to off-line password attack. In our scheme, the mentioned weaknesses in  Li et al.'s scheme are resolved. Thus, the proposed scheme is efficient and secure in providing authentication and key agreement service.















%\begin{acknowledgements}
%If you'd like to thank anyone, place your comments here
%and remove the percent signs.
%\end{acknowledgements}

% BibTeX users please use one of
%\bibliographystyle{spbasic}      % basic style, author-year citations
%\bibliographystyle{spmpsci}      % mathematics and physical sciences
%\bibliographystyle{spphys}       % APS-like style for physics
%\bibliography{}   % name your BibTeX data base

% Non-BibTeX users please use
\begin{thebibliography}{100}

\bibitem{RefJ01}
Burrows, M., Abadi, M., Needham, R., (1990). A logic of authentication, ACM Trans. Comput. Syst., 8(1), 18-36


\bibitem{RefJ03}
Juang, W.S., (2004). Efficient password authenticated key agreement using smart cards, Computers and Security, 23(2), 167-173


\bibitem{RefJ05}
Juang, W.S., Nien, W.K., (2008). Efficient password authenticated key agreement using bilinear pairings,
Mathematical and Computer Modelling, 47(11-12), 1238-1245

\bibitem{RefJ06}
Kocher, P., Jaffe, J., Jun, B., (1999). Differential power analysis, Advances in Cryptology: Proceeding of CRYPTO 99, 388-397

\bibitem{RefJ07}
Ku, W.C., Chen, S.M., (2004). Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics, 50(1), 204-207

\bibitem{RefJ08}
Li, X., Qin, W., Zheng, D., Chen, K., Li, J., (2010). Anonymity enhancement on robust and efficient password-authentucated key agreenent using smart cards, IEEE Transactions on Industrial Electronics, 57(2), 793-800

\bibitem{RefJ02}
Juang, W.S., (2004). Efficient multi-server password authenticated key agreement using smart cards, IEEE Transactions on Consumer Electronics, 50(1), 251-255


\bibitem{RefJ09}
Messerges, T.S., Dabbish, E.A., Sloan, R.H., (2002). Examining smart-card security under the threat of power analysis attacks,  IEEE Transactions on Computers, 51(5), 541-552

\bibitem{RefJ04}
Juang, W.S., Chen, S.T., Liaw, H.T., (2008). Robust and efficient password-authentucated key agreement using smart cards, IEEE Transactions on Industrial Electronics, 55(6), 2551-2556

\end{thebibliography}

\end{document}
